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Introduction 


The UK Government can assess whether another country, territory or an 
international organisation provides an adequate level of data protection 
compared to the UK. An adequacy assessment may cover either general 
processing, or law enforcement processing, or both. The Government 
must consider a range of factors and ensure that sending personal data to 
that country, territory or international organisation does not undermine 
people’s protections. 


Some countries may have a substantially similar level of data protection 
to the UK. In these cases, the Government can make UK adequacy 
regulations. This allows organisations to send personal data to that 
country, territory or international organisation if they wish. 


We support the Government in undertaking adequacy assessments and 
making regulations to enable personal data to flow freely in our global 
digital economy to trusted partners. We do this by providing independent 
assurance on the process followed and the factors that government 
officials take into consideration. This allows the Secretary of State to 
make an informed and reasonable decision. By doing this work once for 
everyone, the Government and the ICO are reducing the burden of 
compliance on organisations that would otherwise have to put alternative 
measures in place. 


One of our priorities for this year, as set out in our ICO25 strategic plant, 
is to “enable international data flows through regulatory certainty”. This 
includes our work on adequacy assessments. We provided advice to the 
Government during this assessment of the Republic of Korea (also known 
as South Korea). Now that the Government has laid the regulations, we 
are publishing this Opinion to set out our views on the process and the 
Government’s conclusion. 


Key Finding 
The Information Commissioner (the Commissioner) considers that it was 
reasonable for the Secretary of State to conclude that the Republic of 


Korea provides an adequate level of data protection and to lay regulations 
to that effect. 


1 1CO25 strategic plan 
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He also advised there are particular aspects that the Secretary of State 
should monitor. These are detailed later in this Opinion. 


About this Opinion 


Who is this Opinion for? 


This Opinion is primarily for Members of the UK Parliament to consider 
alongside the UK adequacy regulations laid by the Secretary of State. 


It may also interest the wider public, data protection professionals and 
organisations that already transfer personal data to the Republic of Korea 
or who are considering doing so. 


What is an adequacy assessment? 


The UK’s data protection laws set out a framework for the responsible use 
of personal data by organisations. People may lose this protection when 
organisations transfer their personal data to organisations in other 
countries or to international organisations not subject to national laws. 
This is why the UK General Data Protection Regulation (UK GDPR) has 
specific rules on how to make international transfers of personal data. 
These rules mean that organisations must protect people’s personal data 
or one of a limited number of exemptions must apply. 


One way that UK organisations can transfer personal data internationally 
is by relying on UK adequacy regulations made by the Secretary of State. 
The Secretary of State can assess a country, territory or international 
organisation or a particular sector in a country or territory, and decide if 
its legal framework offers a similar level of data protection to the UK. 


Article 45 of the UK GDPR contains a list of criteria the Secretary of State 
must consider when carrying out an adequacy assessment. 


2 An international organisation is defined by the UK GDPR as “an organisation and its 
subordinate bodies governed by public international law, or any other body which is set 
up by, or on the basis of, an agreement between two or more countries”. 
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Criteria to be considered in an adequacy assessment? 


2. When assessing the adequacy of the level of protection [...], the 
Secretary of State shall, in particular, take account of the following 
elements: 


a) the rule of law, respect for human rights and fundamental freedoms, 
relevant legislation, both general and sectoral, including concerning 
public security, defence, national security and criminal law and the 
access of public authorities to personal data, as well as the 
implementation of such legislation, data protection rules, professional 
rules and security measures, including rules for the onward transfer of 
personal data to another third country or international organisation 
which are complied with in that country or international organisation, 
case-law, as well as effective and enforceable data subject rights and 
effective administrative and judicial redress for the data subjects whose 
personal data are being transferred; 


b) the existence and effective functioning of one or more independent 
supervisory authorities in the third country or to which an international 
organisation is subject, with responsibility for ensuring and enforcing 
compliance with the data protection rules, including adequate 
enforcement powers, for assisting and advising the data subjects in 
exercising their rights and for cooperation with the Commissioner; and 


c) the international commitments the third country or international 
organisation concerned has entered into, or other obligations arising 
from legally binding conventions or instruments as well as from its 
participation in multilateral or regional systems, in particular in relation 
to the protection of personal data. 


If the Secretary of State decides the country, territory or international 
organisation, or a particular sector in a country or territory, provides an 
adequate level of data protection after considering all the above criteria, 
they can make regulations to give legal effect to their decision. 


These adequacy regulations allow UK organisations to transfer personal 
data to a controller or processor located in a third country or to an 
international organisation. The transfer must adhere to the particular 
scope of those regulations. 


3 Article 45(2), UK GDPR 
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What is the Commissioner’s role in adequacy 
assessments? 


Article 36(4) of the UK GDPR requires the Secretary of State to consult 
the Commissioner when preparing a proposal for a legislative measure 
which relates to processing. The Secretary of State must also consult the 
Commissioner before making regulations under the Data Protection Act 
2018 (DPA 2018).* 


The Secretary of State for Digital, Culture, Media and Sport (DCMS) and 
the Information Commissioner entered into a Memorandum of 
Understanding (MoU) on the role and responsibilities of the ICO in relation 
to DCMS’s work on UK adequacy assessments and regulations.” 


As set out in the MoU, DCMS consults the Commissioner at various stages 
in their process. He offers advice and comments on the information 
provided. However, it is not for the Commissioner to make his own 
assessment of the adequacy of another country, territory or international 
organisation. He provides an independent assurance on the process 
followed and the factors that DCMS officials take into consideration. This 
allows the Secretary of State to make an informed and reasonable 
decision. 


The MoU also says that the Commissioner may provide an Opinion to 
Parliament, including on the DCMS process and factors they take into 
account. These Opinions recognise that different countries have different 
ways of ensuring adequate levels of data protection. 


Assessment of the Republic of Korea 


In August 2021, the Secretary of State announced that the Government 
would assess the Republic of Korea for adequacy under the UK GDPR.® 


DCMS‘s assessment considered the level of data protection in the Republic 
of Korea provided by the: 


e Personal Information Protection Act and the Enforcement Decree of 
the Personal Information Protection Act, 


4 Section 182(2), DPA 2018 

5 Memorandum of Understanding (MoU) on the role of the ICO in relation to new UK 
adequacy assessments 

6 DCMS, International data transfers: building trust, delivering growth and firing up 
innovation, 26 August 2021 
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e The Credit Information Use and Protection Act and the Enforcement 
Decree of the Credit Information Use and Protection Act, and 
e The Supplementary Rules. 


It obtained information from: 
e the legislation itself; 
e other desk-based research; and, 


e discussions and correspondence with representatives of the 
Personal Information Protection Commission and the Financial 
Services Commission of the Republic of Korea. 


The Commissioner’s Opinion on the adequacy 
assessment of the Republic of Korea 


DCMS officials provided copies of a significant amount of the information 
gathered about data protection in the Republic of Korea for review. DCMS 
officials responded positively to the ICO’s suggestions of areas to clarify, 
and they explored these further. Therefore, the final assessment is based 
on an appropriate range and depth of relevant factual information. The 
Commissioner provided advice to the Secretary of State. He gives this 
Opinion, based on that information. 


The assessment considered all the criteria for adequacy listed in article 45 
of the UK GDPR to the appropriate extent. 


The Commissioner considers that it was reasonable for the Secretary of 
State to conclude that the Republic of Korea provides an adequate level of 
data protection and to lay regulations to that effect. 


The Commissioner is therefore pleased to offer Parliament his assurance 
as it considers the regulations. 


Review and ongoing monitoring 


The Secretary of State can review the adequacy of the Republic of Korea 
at any time, if they become aware of a significant change in the level of 
data protection that applies to personal data transferred from the UK. 
They also have the power to revoke or amend the regulations if 
necessary, to ensure organisations can only freely transfer personal data 
where there are sufficient safeguards in place. 
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In any event, the Secretary of State must undertake a review of the level 
of data protection in the Republic of Korea every four years from the date 
the regulations come into force. 


The Secretary of State is also required to monitor, on an ongoing basis, 
developments in a country, territory or international organisation which is 
the subject of UK adequacy regulations. 


We considered whether any of the information we reviewed highlighted 
particular aspects that the Secretary of State should monitor. We advised 
her to monitor: 


e developments related to automated decision-making given the 
judgement that the current absence of legislative protection is 
unlikely to affect personal data transferred from the UK; 


e the effectiveness in practice of the protections for personal data 
transferred to religious organisations for missionary purposes and to 
political parties for the nomination of candidates since the full 
requirements of the Korean Personal Information Protection Act do 
not apply in these cases; and 


e the progress of proposals to amend the relevant laws in the 
Republic of Korea and the impact those proposals would have on 
personal data transferred from the UK. 


In the course of his duties, the Commissioner, or his staff, may become 
aware of information that suggests the Republic of Korea no longer 
provides adequate data protection. Should that happen, he will inform the 
Secretary of State and may recommend they undertake a review of the 
regulations. Depending on the circumstances, he may revise this Opinion 
accordingly. 


What is the status of this Opinion? 


The Commissioner has several powers and functions around UK adequacy 
assessments. This includes section 115(3)(a) of the DPA 20187. This gives 
the Commissioner a duty to advise the UK Parliament and Government, 
amongst others, on legislative and administrative measures. A key part of 
this links to the protection of people’s rights and freedoms relating to the 


7 Another example is article 57(1)(c) of the UK GDPR. 
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processing of personal data under the UK GDPR. UK adequacy regulations 
fall within this remit. 


There is also section 115(3)(b) of the DPA 20188 which allows the 
Commissioner to issue Opinions to Parliament, the Government, other 
institutions and bodies and the public. They can cover any issue about the 
protection of personal data. The Commissioner can issue Opinions either 
on his own initiative or on request. 


This Opinion sets out the Commissioner's view of the adequacy 
assessment process followed and factors taken into consideration by the 
Secretary of State for DCMS for the Republic of Korea under section 17A 
of the DPA 2018 and article 45 of the UK GDPR. 


8 See also article 58(3)(b) of the UK GDPR. 


